asterisk -- Crash on ACK from unknown endpoint

Details

VuXML ID

7fda7920-7603-11e6-b362-001999f8d30b

Discovery

2016-08-03

Entry

2016-09-08

The Asterisk project reports:

Asterisk can be crashed remotely by sending an ACK to
it from an endpoint username that Asterisk does not
recognize. Most SIP request types result in an "artificial"
endpoint being looked up, but ACKs bypass this lookup.
The resulting NULL pointer results in a crash when
attempting to determine if ACLs should be applied.

This issue was introduced in the Asterisk 13.10 release
and only affects that release.

This issue only affects users using the PJSIP stack
with Asterisk. Those users that use chan_sip are
unaffected.